Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - AutoRun disabling patch released InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

AutoRun disabling patch released

Published: 2009-02-25
Last Updated: 2009-02-26 20:46:47 UTC
by donald smith (Version: 2)
1 comment(s)

Microsoft released a patch to correct the "disable autorun registry key" enforcement.
Updates are offered for the following OSes:
* Microsoft Windows 2000
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2

The US Cert released an announcement stating that "Microsoft Windows does not disable AutoRun properly" back on January 20th.

"Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability."

The Conficker worm spreads via autorun and we have run several diaries about autorun issues.
Conficker ->
PictureFrame malware ->
PictureFrame Malware2 ->

UPDATE: A reader (Thanks Michael) wrote in saying that he was using xp home edition and was unable to follow the directions in microsofts KB article about using gpedit.msc to create a group policy. He is correct. XP home can't run gpedit.msc. XP home users need to follow the "How to selectively disable specific autorun features" steps. I recommend you modify the NoDriveTypeAutoRun value to 0xFF. That should disable autorun on ALL drives.

Keywords: autorun patch
1 comment(s)
Diary Archives